On 22/02/2017 08:18, Ethariel wrote:
I've tried to insert in the users file :
customer2 Calling-Station-Id := "BB-BB-BB-BB-BB-BB"
but with correct password customer2 is always authenticated using the BB-....-BB mac adress or not.
The users file has some magic you need to know about. The structure of each entry is like this: <key> <first line> <subsequent lines> Any comparison operators (like ==) in the first line cause an attribute to the *checked* on the *request* list. If any of the checks fail, this entire entry in the users file is skipped. If there are more entries with the same key, it will try those. However, if all the checks on the first line succeed, then: * Any assignment operators (like :=) in the first line cause attributes to be *set* on the *control* list * The subsequent lines cause attributes to be *set* on the *reply* list. So you could do this: customer2 Auth-Type := Reject, Calling-Station-Id != "BB-BB-BB-BB-BB-BB" This means: "if the user name is customer2, AND the (request) calling station id is not the given value, THEN set control:Auth-Type to Reject". It will then reject them without even checking the supplied password. You could also add reply attributes if you wish: customer2 Auth-Type := Reject, Calling-Station-Id != "BB-BB-BB-BB-BB-BB" Reply-Message := "Wrong MAC Address" If the condition is not true, this entire entry is skipped, so neither Auth-Type nor Reply-Message is set. If you want to allow multiple MAC addresses then you could either do a regex match, or you could split the logic like this: customer2 Calling-Station-Id == "BB-BB-BB-BB-BB-BB" customer2 Calling-Station-Id == "CC-CC-CC-CC-CC-CC" customer2 Auth-Type := Reject Reply-Message := "Wrong MAC Address" The first two entries make no updates to either control or reply lists. However since they don't have "Fall-Through := 1" then all subsequent entries for the same username are skipped. All examples above untested by me, but should be close to what you need. Regards, Brian.